Thursday, March 15, 2012

CPE: McAfee AudioParasitics: Episode 11, Rootkit Detective, part 1

length: 20:21

Discussion with Ahmed Sallam, the developer who wrote Rootkit Detective.

Ahmed's background: he started 17 years ago, working on a project to build a different Windows operating system (MS-DOS 5.0 and Windows 3.0) in an Arabic version, i.e. switching the display from left-to-right to right-to-left.
Because of the need to write in Arabic, "I had to break EVERY SINGLE piece of the operating system: the display, I/O, network..."
Hence he has seen this potential for a very long time.
Everything that has been discussed in the last couple of years about rootkits, he has actually known for a loooong time, going back more than 15 years.

There is only one difference between the malware writer and the security researcher: the intention.

The technique of manipulating mappings is well known.

The Sony BMG technique is known.

What is new is people finding a new area or a new data structure inside the Windows operating system that is good to attack.

Shadow Walker was promoted as brand new, but from Ahmed's point of view it is nothing new.

We knew this could happen; we knew that if someone had the knowledge and the skill, these kinds of rootkits would exist... The problem so far: most people think this is far too complex and difficult to implement, but McAfee is aware of the potential and aware that sooner or later this type of rootkit will emerge.

Rootkit Detective is a stand-alone tool, like Stinger.
The philosophy is to detect rootkits.
It required a change in the engine for memory scanning.
Memory-based analysis in the engine: signature based, with some level of behavioral analysis.

Then the tool itself: Rootkit Detective has no signatures at all; it relies purely on behavioral analysis.

There is a big decision to make about which methods should be implemented in the first release (sufficient for today and the short/mid term) and which methods should be kept for future releases.

There are many methods/techniques for rootkit detection, but not all should be implemented in the first release, as a subset of methods is already sufficient for the time being.
These methods include:
- system integrity checking
- comparing enumerations (cross-view) to identify hiding
- an internal AV engine for rootkit signatures (memory-based scanning)
- viewing all malicious modifications that have been made
- detection of hidden processes & files
- allowing the user to modify/repair
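As an added example (not McAfee's code or anything from the podcast), here is the enumeration-comparison method from the list above, usually called cross-view detection, done for Linux processes rather than Windows: the "high" view is what a readdir() of /proc reports (what ps and top use), the "low" view is a brute-force kill(pid, 0) probe of the kernel's task table, and the comparison step is kept as a pure function so it can be checked on constructed input. The MAX_PIDS ceiling, the 32768 probe limit and the thread filter via /proc/<pid>/status are my choices for this example, not anything Rootkit Detective does.

```c
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

/* Cross-view detection on Linux (illustrative; Rootkit Detective itself targets
 * Windows). High view: PIDs that readdir() on /proc admits to, which is what
 * ps/top rely on and what a rootkit typically filters. Low view: a brute-force
 * kill(pid, 0) probe that asks the kernel's task table directly. A PID present
 * in the low view but absent from the high view is a hiding candidate. */

#define MAX_PIDS 65536   /* constructed ceiling for this example; pid_max may be larger */

/* Pure comparison step (both views sorted ascending). Copies PIDs found only
 * in low_view into hidden[] (up to cap) and returns how many there were. */
size_t cross_view_diff(const int *high_view, size_t nhigh,
                       const int *low_view, size_t nlow,
                       int *hidden, size_t cap)
{
    size_t i = 0, j = 0, n = 0;
    while (j < nlow) {
        if (i < nhigh && high_view[i] < low_view[j]) {
            i++;                 /* only in high view: cannot be "hidden" */
        } else if (i < nhigh && high_view[i] == low_view[j]) {
            i++; j++;            /* seen by both views: normal */
        } else {
            if (n < cap) hidden[n] = low_view[j];
            n++; j++;            /* only in low view: candidate */
        }
    }
    return n;
}

/* Linux lists only thread-group leaders in /proc, but kill(tid, 0) succeeds for
 * any thread ID, so a bare probe would flag every thread. Read Tgid from
 * /proc/<pid>/status to tell them apart. If the file cannot be opened at all,
 * keep the PID as a candidate: a rootkit hiding a process filters that too. */
int is_nonleader_thread(int pid)
{
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid != -1 && tgid != pid;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

size_t collect_high_view(int *out, size_t cap)
{
    size_t n = 0;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    struct dirent *e;
    while (n < cap && (e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0])) out[n++] = atoi(e->d_name);
    closedir(d);
    qsort(out, n, sizeof *out, cmp_int);
    return n;
}

/* kill(pid, 0) delivers nothing: 0 or EPERM means the PID exists, ESRCH means free. */
size_t collect_low_view(int *out, size_t cap, int max_pid)
{
    size_t n = 0;
    for (int pid = 1; pid <= max_pid && n < cap; pid++) {
        errno = 0;
        if (kill(pid, 0) == 0 || errno == EPERM) out[n++] = pid;
    }
    return n;                    /* ascending by construction */
}

int main(void)
{
    static int high[MAX_PIDS], low[MAX_PIDS], cand[MAX_PIDS];
    size_t nlow = collect_low_view(low, MAX_PIDS, 32768);   /* low view first */
    size_t nhigh = collect_high_view(high, MAX_PIDS);
    size_t ncand = cross_view_diff(high, nhigh, low, nlow, cand, MAX_PIDS);
    int reported = 0;
    for (size_t k = 0; k < ncand; k++) {
        if (is_nonleader_thread(cand[k])) continue;
        /* re-probe: drops processes that exited between the two passes */
        if (kill(cand[k], 0) != 0 && errno != EPERM) continue;
        printf("possible hidden process: pid %d\n", cand[k]);
        reported++;
    }
    printf("%zu visible, %zu probed, %d candidates\n", nhigh, nlow, reported);
    return 0;
}
```

The low view is taken first and each candidate re-probed afterwards, so a process that exits between the two passes is not reported. A rootkit that also filters the low-level path defeats this particular pair of views, which is the reason the notes above speak of many methods rather than one.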

Rootkit Detective is not integrated into the AV product because it is not signature based!

Many challenges in repairing!
- simplest rootkit: inserts code, which can be replaced
- changes to data structures / network stack / file system: this is very, very tricky,
because when action is taken, the Windows system might still have some pointer to code that no longer exists; need to make sure to disable ALL pointers.
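The repair problem in the last bullet, as an added example that is not Rootkit Detective's code: a simplified C model of a kernel dispatch table of code pointers whose entries are checked against the address ranges of trusted loaded modules (the system integrity checking method listed earlier), with the repair done in the only safe order: every pointer into the rootkit's code is rewritten from a known-good copy and re-verified before the code is released. The module names, addresses and table layout are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a kernel dispatch table of code pointers. A rootkit of
 * the kind discussed above redirects entries into its own code; the checker
 * verifies each entry points into a trusted loaded module, and the repair must
 * rewrite the pointers BEFORE the rootkit's code is unmapped. */

#define TABLE_SIZE 8

typedef struct { const char *name; uintptr_t base; size_t size; int loaded; } module_t;
typedef struct { uintptr_t entry[TABLE_SIZE]; } dispatch_table_t;

static int addr_in_range(uintptr_t addr, uintptr_t base, size_t size)
{
    return addr >= base && addr - base < size;
}

/* Integrity check: flag entries outside every trusted loaded module.
 * Stores up to cap indexes in bad_idx[]; returns the total count. */
size_t find_foreign_entries(const dispatch_table_t *t,
                            const module_t *trusted, size_t ntrusted,
                            size_t *bad_idx, size_t cap)
{
    size_t nbad = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        int ok = 0;
        for (size_t m = 0; m < ntrusted && !ok; m++)
            ok = trusted[m].loaded &&
                 addr_in_range(t->entry[i], trusted[m].base, trusted[m].size);
        if (!ok) {
            if (nbad < cap) bad_idx[nbad] = i;
            nbad++;
        }
    }
    return nbad;
}

/* Entries still referencing a module's range, whether or not it is loaded. */
size_t refs_into_module(const dispatch_table_t *t, const module_t *m)
{
    size_t n = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        n += addr_in_range(t->entry[i], m->base, m->size);
    return n;
}

/* Wrong order: release the code first. Every entry still pointing into it is
 * now a dangling pointer the kernel may call. Returns how many remain. */
size_t unload_then_repair(dispatch_table_t *t, module_t *rootkit)
{
    rootkit->loaded = 0;
    return refs_into_module(t, rootkit);
}

/* Right order: restore each hooked entry from a known-good copy, re-check that
 * nothing references the rootkit, and only then release it. Returns the number
 * restored; *dangling receives the post-check reference count (must be 0). */
size_t repair_then_unload(dispatch_table_t *t, const dispatch_table_t *known_good,
                          module_t *rootkit, size_t *dangling)
{
    size_t restored = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (addr_in_range(t->entry[i], rootkit->base, rootkit->size)) {
            t->entry[i] = known_good->entry[i];
            restored++;
        }
    *dangling = refs_into_module(t, rootkit);
    if (*dangling == 0) rootkit->loaded = 0;
    return restored;
}

/* Constructed fixture: two trusted modules, one rootkit, a known-good table and
 * a live copy with entries 1 and 6 hooked. All addresses are invented. */
void make_fixture(dispatch_table_t *good, dispatch_table_t *live, module_t mods[3])
{
    mods[0] = (module_t){ "kernel",  0x80400000u, 0x200000u, 1 };
    mods[1] = (module_t){ "hal",     0x80700000u, 0x020000u, 1 };
    mods[2] = (module_t){ "rootkit", 0xf8a00000u, 0x004000u, 1 };
    for (size_t i = 0; i < TABLE_SIZE; i++)
        good->entry[i] = (i % 3 == 0) ? mods[1].base + 0x100u * i
                                      : mods[0].base + 0x1000u * i;
    *live = *good;
    live->entry[1] = mods[2].base + 0x120u;
    live->entry[6] = mods[2].base + 0x3a0u;
}

int main(void)
{
    dispatch_table_t good, live;
    module_t mods[3];
    size_t bad[TABLE_SIZE], dangling;
    make_fixture(&good, &live, mods);
    size_t nbad = find_foreign_entries(&live, mods, 2, bad, TABLE_SIZE);
    for (size_t k = 0; k < nbad; k++)
        printf("entry %zu -> %#lx (outside trusted modules)\n",
               bad[k], (unsigned long)live.entry[bad[k]]);
    size_t restored = repair_then_unload(&live, &good, &mods[2], &dangling);
    printf("restored %zu entries, %zu dangling after repair\n", restored, dangling);
    return 0;
}
```

In a real system the "known-good copy" comes from a trusted source such as the legitimate image on disk, and the reference scan has to cover every table and list that might hold a pointer into the rootkit, not just the one that was found hooked; that is the "ALL pointers" point from the notes.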